lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150220104418.GD25076@gmail.com>
Date:	Fri, 20 Feb 2015 11:44:18 +0100
From:	Ingo Molnar <mingo@...nel.org>
To:	Jiri Kosina <jkosina@...e.cz>
Cc:	Josh Poimboeuf <jpoimboe@...hat.com>,
	Vojtech Pavlik <vojtech@...e.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Ingo Molnar <mingo@...hat.com>,
	Seth Jennings <sjenning@...hat.com>,
	linux-kernel@...r.kernel.org,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: live patching design (was: Re: [PATCH 1/3] sched: add
 sched_task_call())


* Jiri Kosina <jkosina@...e.cz> wrote:

> On Fri, 20 Feb 2015, Ingo Molnar wrote:
> 
> > So if your design is based on being able to discover 
>
> > 'live' functions in the kernel stack dump of all tasks 
> > in the system, I think you need a serious reboot of the 
> > whole approach and get rid of that fragility before any 
> > of that functionality gets upstream!
> 
> So let me repeat again, just to make sure that no more 
> confusion is being spread around -- there are aproaches 
> which do rely on stack contents, and aproaches which 
> don't. kpatch (the Red Hat solution) and ksplice (the 
> Oracle solution) contains stack analysis as a conceptual 
> design step, kgraft (the SUSE solution) doesn't.

So just to make my position really clear: any talk about 
looking at the kernel stack for backtraces is just crazy 
talk, considering how stack backtrace technology stands 
today and in the reasonable near future!

With that out of the way, the only safe mechanism to live 
patch the kernel (for sufficiently simple sets of changes 
to singular functions) I'm aware of at the moment is:

 - forcing all user space tasks out of kernel mode and
   intercepting them in a safe state. I.e. making sure that 
   no kernel code is executed, no kernel stack state is 
   used (modulo code closely related to the live
   patching mechanism and kernel threads in safe state, 
   lets ignore them for this argument)

There's two variants of this concept, which deals with the 
timing of how user-space tasks are forced into user mode:

  - the simple method: force all user-space tasks out of 
    kernel mode, stop the machine for a brief moment and be 
    done with the patching safely and essentially 
    atomically.

  - the complicated method spread out over time: uses the 
    same essential mechanism plus the ftrace patching 
    machinery to detect whether all tasks have transitioned 
    through a version flip. [this is what kgraft does in 
    part.]

All fundamental pieces of the simple method are necessary 
to get guaranteed time transition from the complicated 
method: task tracking and transparent catching of them, 
handling kthreads, etc.

My argument is that the simple method should be implemented 
first and foremost.

Then people can do add-on features to possibly spread out 
the new function versions in a more complicated way if they 
want to avoid the stop-all-tasks transition - although I'm 
not convinced about it: I'm sure sure many sysadmins would 
like the bug patching to be over with quickly and not have 
their systems in an intermediate state like kgraft does it.

In any case, as per my arguments above, examining the 
kernel stack is superfluous (so we won't be exposed to the 
fragility of it either): there's no need to examine it and 
writing such patches is misguided...

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ